Follow the steps below to add a custom Security Risk Exception for a Mac client from the SEPM.

Launch the Symantec Endpoint Protection Manager.

To create a blank Centralized Exceptions policy, under the Policies view, select the Centralized Exceptions option, then click Add a Centralized Exceptions Policy. Enter a name for the policy and then click OK.

You can also modify a Centralized Exceptions policy currently in use in the group in which your Mac client (or clients) reside.

Enter the file or folder path and then click OK. Macintosh file paths use forward slash ( / ), not backslash ( \ ). A leading forward slash is not required if a prefix is chosen. As well as the prefix choices, SEP for Macintosh supports a range of wildcard matches:
* matches zero or more characters (all characters, including slashes in a path)
? matches a single character (again, all)
[ ] matches a single character against a list and/or range of characters
^ matches a single character other than character or range following (used with [ ])

Note that subfolders are automatically part of an excluded folder, but compressed archives won't be excluded unless you add a trailing asterisk.

To save the changes to the policy, click OK, then OK again. If this is a new policy, you will be asked to assign the policy. Assign it to the group/s in which the Mac client/s reside. It will override any Centralized Exception policy already assigned to this group.

To complete this process and exclude this file/location from real time scanning by Auto-Protect, you must also perform the additional step:

While still in the Policies section of the SEPM, click on Antivirus and Antispyware in the left pane, then open the Antivirus and Antispyware policy in use by the group/s in which the Mac clients reside.

In the new window that pops up, in the left pane under Mac Settings, click on File System Auto-Protect.

Under Scan Details, under General Scan Details, click on the button next to Scan everywhere except in specified folders.

As well as the prefix choices, SEP for Macintosh supports a range of wildcard matches:
* matches zero or more characters (all characters, including slashes in a path)
? matches a single character (again, all)
[ ] matches a single character against a list and/or range of characters
^ matches a single character other than character or range following (used with [ ])

For example, the SEP quarantine file is sometimes included in Time Machine backups, and causes undesirable AutoProtect detections on the backup volume. This file (QuarantineFile.qtn) can be excluded by name, under all paths, with the following exception: